Thread: oAuth 2 scopes

  1. #1
    Join Date
    May 2008
    Posts
    6

    Default oAuth 2 scopes

    We are currently implementing an API and would like to use oAuth 2 to manage access to resources. We have planned to use oAuth scopes to control permissions to various user resources. I cannot see in the current API how to assign scopes nor how to read them or to define security restrictions around them. Can someone point in the right direction to get scopes functioning under spring security oauth2?

    Thanks!

  2. #2
    Join Date
    May 2008
    Location
    Salt Lake City
    Posts
    167

    Default

    It's just an attribute on the oauth:resource configuration element.

  3. #3
    Join Date
    May 2008
    Posts
    6

    Default

    I thought the oauth:resource element was for configuring access as a client of remote oAuth 2 protected resources, not configuring provider resources?

  4. #4
    Join Date
    May 2008
    Location
    Salt Lake City
    Posts
    167

    Default

    Sorry, I didn't read your question carefully enough.

    On the provider-side, it's a matter of adding scopes to the definition of each client. For the in-memory implementation, it looks like:

    Code:
      <oauth:client-details-service id="...">
        <oauth:client clientId="..." authorizedGrantTypes="..." authorities="..." scope="..."/>
      </oauth:client-details-service>

  5. #5
    Join Date
    May 2008
    Posts
    6

    Default

    Thanks for the response! I understand now how to assign a list of scopes to a client, but I do not see how I can utilize those scopes within my application. As an example, assume I have two scopes (permissions) "user_profile" and "user_events" which are accessed via the urls "/user/{username}/profile" and "/user/{username}/events". I can see how I could use the scope parameter on the client configuration to request the two scopes, but how do I ensure the client has those scopes when they are requesting a resource? I do not see any configuration to specify that a client requesting the url "/user/{username}/profile" must have the "user_profile" scope. However, I do see that there is a ClientAuthenticationToken which contains the granted scope(s) - is the intent that this would be checked in-application and the Authentication would be cast to the ClientAuthenticationToken and the scopes checked there? I'm feeling a bit lost here, so thanks for taking the time to walk through this. I am hoping to find a clean way to map scope(s) to API endpoint to control permissions.

  6. #6
    Join Date
    May 2008
    Location
    Salt Lake City
    Posts
    167

    Default

    Okay, I get it now.

    Ya, the only way to do that right now is to open up the ClientAuthenticationToken and look for yourself. This should be much easier. I've created a JIRA issue to track this:

    https://jira.springsource.org/browse/SECOAUTH-88

  7. #7
    Join Date
    May 2008
    Posts
    6

    Default

    Thanks, I'll be sure to watch it! Speaking to an implementation, it almost seems like there would need to be a new EL expression for the spring security <intercept-url> element which would take a delimited list of scopes. Something like:

    Code:
    <intercept-url pattern="/user/*/profile" access="hasOAuth2Scope('user_profile')" />
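The check that posts #5 to #7 describe (open the authentication, read the granted scopes, and compare them against the scope an endpoint requires) can be kept out of the controllers by putting the URL-to-scope mapping in one place. The class below is an added example written for this thread; it is not code from Spring Security OAuth and uses no Spring API, so the `ScopeAuthorizer`, `require` and `isAllowed` names are assumptions of this example. It models a chain of `<intercept-url>`-style entries: the first matching pattern wins, the scope string is split the way OAuth 2 delivers it (space-delimited), unmapped paths are denied rather than allowed, and the decision is made on the scopes actually granted to the token, not on the list the client is merely registered to request.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;

/** Added example: maps URL patterns to the OAuth 2 scope required to reach them. */
public class ScopeAuthorizer {

    // Insertion-ordered: the first matching pattern wins, like a chain of <intercept-url> entries.
    private final Map<Pattern, String> requiredScopeByPattern = new LinkedHashMap<>();

    /** Register a simplified Ant-style pattern (only '*' and '**' are special) and the scope it requires. */
    public ScopeAuthorizer require(String antPattern, String scope) {
        requiredScopeByPattern.put(toRegex(antPattern), scope);
        return this;
    }

    /** Translate the pattern into a regex: '**' may cross slashes, '*' matches within one path segment. */
    static Pattern toRegex(String antPattern) {
        StringBuilder sb = new StringBuilder("^");
        for (int i = 0; i < antPattern.length(); i++) {
            char c = antPattern.charAt(i);
            if (c == '*') {
                if (i + 1 < antPattern.length() && antPattern.charAt(i + 1) == '*') {
                    sb.append(".*");
                    i++;
                } else {
                    sb.append("[^/]*");
                }
            } else {
                sb.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return Pattern.compile(sb.append("$").toString());
    }

    /** OAuth 2 carries scope as a space-delimited string; split it into a set of individual scopes. */
    static Set<String> parseScopes(String scopeParameter) {
        Set<String> scopes = new TreeSet<>();
        if (scopeParameter == null) {
            return scopes;
        }
        for (String s : scopeParameter.trim().split("\\s+")) {
            if (!s.isEmpty()) {
                scopes.add(s);
            }
        }
        return scopes;
    }

    /**
     * Decide whether a request may proceed. A path with no mapping is denied (fail closed),
     * and the decision uses the scopes granted to this token, not those the client is
     * registered to request in its client definition.
     */
    public boolean isAllowed(String path, Set<String> grantedScopes) {
        for (Map.Entry<Pattern, String> e : requiredScopeByPattern.entrySet()) {
            if (e.getKey().matcher(path).matches()) {
                return grantedScopes.contains(e.getValue());
            }
        }
        return false;
    }

    public static void main(String[] args) {
        ScopeAuthorizer authz = new ScopeAuthorizer()
            .require("/user/*/profile", "user_profile")
            .require("/user/*/events", "user_events");

        // Constructed sample: the scope string as it would be read from the granted token.
        Set<String> granted = parseScopes("user_profile");

        // Mapped endpoint whose required scope was granted.
        System.out.println("/user/alice/profile -> " + authz.isAllowed("/user/alice/profile", granted));
        // Mapped endpoint whose required scope (user_events) was not granted to this token.
        System.out.println("/user/alice/events  -> " + authz.isAllowed("/user/alice/events", granted));
        // Path with no mapping at all: denied rather than silently allowed.
        System.out.println("/admin/users        -> " + authz.isAllowed("/admin/users", granted));
    }
}
```

In an application this would sit in a servlet filter or interceptor that pulls the granted scopes from the current `Authentication` and calls `isAllowed` with the request path; the point the example makes is that the mapping lives in one ordered table and that anything not covered by it is refused, so adding a new endpoint without a scope entry cannot accidentally expose it.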
